Category Archives: Password

An Unexpected Consequence of Super-Stability

This would never have happened with Windows XP.

As I always do after a long day of driving, I woke up this morning and reached for my phone.  I had driven 1,092 km the previous day, which meant that I spent my attention on the road and not on my phone – doubly so because it was a Sunday, and in my current role nothing earth-shattering ever happens on Sunday.  I did, however, check my email during the occasional stop… and it worked.

This morning it did not.

My email password for my @microsoft.com email account was not working, but I wasn’t worried… I was sure that I would log on and find out that there had been some glitch in the system between 7:48am and 7:51am, and that all was well.

…and then it occurred to me that it has been roughly a year to the day since I got my account, and it was possible that it had expired – or worse, not been renewed.

I checked Lync.  Lync works on an entirely different system than email, and it should work.

“We can’t sign you in. Please check your account info and try again.”

Crap… this is serious… I may, as of this morning, no longer be an @microsoft.com!  That would be terrible for many reasons, not the least of which was that someone decided to shut me off without a conversation :(

When you log on to Windows 8 (or any version for that matter) Windows (Kerberos actually, but that’s another story) checks your credentials against an Active Directory Domain Controller.  It happens every time.  It doesn’t only check that your password is valid; it checks that your account is valid, and whether your password has expired (or is about to).  It gives you plenty of notice too… it will start warning you two weeks or so before the expiry date so that you don’t miss it.

Unfortunately it does not work the same way when you wake your system from sleep or unlock a session you already authenticated to.  All Windows does then is confirm that your account was valid when you last logged on and that the password you typed matches.  Kerberos does not go out to Active Directory for this; it checks the locally cached credentials.
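Because an unlock never asks the Domain Controller, the only way to see the real expiry date is to ask for it yourself.  The following is an added example, not code from the original post: it queries the DC for the computed expiry time of the current user’s password and classifies it the way the full-logon warning would.  It assumes the RSAT ActiveDirectory PowerShell module is installed and that a Domain Controller is reachable, which is exactly the condition the post is about, so run it while you are actually connected to the corporate network.

```powershell
# Added example, not from the original post: report when the current domain user's
# password expires.  Assumes the RSAT ActiveDirectory module and a reachable DC.
Import-Module ActiveDirectory

function Get-PasswordExpiryReport {
    param(
        [string]$SamAccountName = $env:USERNAME,
        [int]$WarnDays = 14        # roughly the two-week warning a full logon would show
    )

    # msDS-UserPasswordExpiryTimeComputed is calculated by the DC from the password
    # policy that actually applies to this user (default or fine-grained).  It comes
    # back as a Windows FILETIME (100 ns ticks since 1601-01-01).
    $user = Get-ADUser -Identity $SamAccountName -Properties `
        'msDS-UserPasswordExpiryTimeComputed', PasswordNeverExpires, PasswordLastSet

    $raw      = $user.'msDS-UserPasswordExpiryTimeComputed'
    $expires  = $null
    $daysLeft = $null

    if ($user.PasswordNeverExpires -or $raw -eq [long]::MaxValue) {
        $status = 'NeverExpires'            # Int64.MaxValue: no expiry applies
    } elseif (-not $raw) {
        # 0 or missing: pwdLastSet is unset (e.g. after an admin reset), treated here
        # as "must change at next logon".
        $status = 'MustChangeAtNextLogon'
    } else {
        $expires  = [DateTime]::FromFileTime($raw)
        $daysLeft = [math]::Floor(($expires - (Get-Date)).TotalDays)
        $status   = if ($daysLeft -lt 0) { 'Expired' } elseif ($daysLeft -le $WarnDays) { 'ChangeSoon' } else { 'OK' }
    }

    [pscustomobject]@{
        User            = $user.SamAccountName
        PasswordLastSet = $user.PasswordLastSet
        Expires         = $expires
        DaysLeft        = $daysLeft
        Status          = $status
    }
}

Get-PasswordExpiryReport | Format-List
```

If the DC cannot be reached (a stale DirectAccess or VPN session, for instance) `Get-ADUser` simply fails, which is itself the signal that the cached logon is the only thing still working; anything other than `OK` means change the password while you still can.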

So what happens in a world where Windows is so solid that you almost never have to log off?  In the last three weeks I have worked from the office in Mississauga, the office in Montreal, the office in Ottawa, several locations in Portland (Maine), and of course a weekend in Redmond and a day on campus… from hotel rooms, Internet cafes, and for 20 stressful minutes last week from the passenger seat of my wife’s minivan as we drove from Toronto to Montreal.  At the end of my session I simply closed the lid to my laptop and put it away, or simply locked the screen.

In three weeks I have not had to log off my computer because Windows is so much more stable than it ever was.

The unexpected consequence of this is that this morning, rather than working from home as I had planned, I had to come into the office, because once that password expires you have to be physically connected to the internal network to change it… DirectAccess (one of the greatest tools ever invented for the purpose of working remotely) doesn’t cut it… because your credentials to connect are currently invalid!

So yes, my password expired.  No, my account has not been disabled, and yes, you are going to have to put up with me for a while longer.  However I hope you learn from my experience… if it’s been a while since you were prompted to change your password don’t wait… do it proactively so that you can work in your pajamas and avoid the Monday morning rush hour!

Passwords Revisited… a post from a fellow MVP

Many of you know that I am a fanatic about changing passwords and password complexity.  I have written time and again about the subject. (See Pass the Word…)

I am also a big hater of what my friend Dana Epp refers to as ‘Security Theatre.’  I have often berated people at Rogers, AT&T, and a plethora of other companies who ask me ‘and for security purposes can you please tell me your date of birth?’  REALLY? IT’S ON MY FACEBOOK PAGE!  How about you ask me what colour tie I wore to the last Black Tie event I attended, or what colour was the hockey puck we used when I played ice hockey?

I came across an article written by fellow Microsoft MVP Bill Pytlovany.  I have never met Bill but he makes some very good points about answering security questions (my mother’s maiden name is Brown by the way) that people should keep in mind when answering these questions.  Bill’s MVP Award is in Consumer Security, and I can see why.  Enjoy the article! –MDG

http://billpstudios.blogspot.ca/2013/02/banking-system-fails-due-to-security.html

Pass the Word…

How often do you change your online passwords?  If you are like the vast majority of us then the answer is not nearly often enough.  Until recently I fell into the same category, and fixing that took a little bit of doing.

One day several months ago I looked at Theresa and said ‘I think I am going to change all of my on-line passwords today.’  Easier said than done.

The first problem that I encountered was not an easy one – what passwords do I have?  I figured I must have dozens if not hundreds of on-line accounts.  The not so simple task of creating a list of all of them was a task I was not looking forward to.

Like so many other things that I discuss, the old truism applies: If you cannot measure it then you cannot manage it.  I had to figure out a way to start tracking my on-line accounts.  Where should I start?

Of course there are easy ones – the low-hanging fruit.  My Microsoft Account (formerly Live ID) is tied to dozens of sites from Microsoft Learning to TechNet to Zune and Xbox and everything in between, not to mention my primary e-mail account.  By changing that password I immediately changed nearly half of the sites that I log in to.  Unfortunately the rest of them would not be that easy.

I decided to take a measured approach going forward.  I opened a text document on my laptop and named it passwords.txt.  Of course this file is not going to have any of my passwords in it – I have a pretty good memory, but some people like to use password vault software like AuthAnvil Password Server, which allows individuals and organizations to centrally organize, synchronize, and audit their passwords.  The only thing that I am keeping in my password text file is a simple list of all of the sites that I either have to type my password into or, in many cases, that I have logged into previously and clicked the ‘Remember my Password’ option in Internet Explorer. 

I kept this text file open for several days and was alarmed at how long it was getting.  The obvious ones are sites like on-line banking, social networking sites, and of course my blogs.  The next tier was sites like ebay (and PayPal), amazon.com, and YouTube.  Sites for my travel rewards points accounts (Aeroplan, AirMiles) came next, followed by things like DNS sites and Prometric.com (where I take my Microsoft exams).

After a few days I thought I was done, but just in case I saved the file to my desktop.  In the meantime the real work started.  I logged on to each of these sites and started changing passwords.  Of course I did not use the same password for each site, and for my own peace of mind I will not explain how I chose.  However I did make sure that all of my passwords were long enough and complex enough to thwart the average hacker (and onlooker). 

Next I watched my Inbox.  Many sites will send you an e-mail confirming that you made changes to the account.  I skimmed through each one carefully for two items: 1) Do I need to take any action (click a link, etc…) to confirm that I actually did make the changes, and 2) Does it say ‘You changed your password to P@$$w0rd.’ 

The first wasn’t a problem – I took the necessary steps.  However the second is more important; if any site sends you an e-mail with your password in clear text then you know that they are storing it that way (rather than storing only a one-way hash and verifying your password against it).  I flagged these sites and made a notation to never use the same password on these as I do on any other site.  In the event that their site gets hacked not only would my account there be compromised, but you could be sure that the hackers would then try to use the same password against my account on other sites.  VERY DANGEROUS.

As I went from site to site I made notations on my text file list.  A dash next to an entry meant that the password had been changed; an asterisk meant that the site e-mailed me in clear text.  An ampersand meant that it is an account that I share with my wife (I don’t share any accounts with anyone else), and so before I change that password I should let her know what it is going to be, lest she get locked out of anything important.

While I thought I was done, I left the text file on my desktop.  It does not take up a lot of real estate (especially since Windows 8 helps me to keep my desktop clean of shortcut icons), and I knew that as the weeks went on I would stumble upon the occasional site that did indeed slip my mind.

I dated the file and e-mailed it to myself; I set up a recurring calendar reminder telling me to change my passwords on a schedule.  While not all of my credentials need to be changed as often as others, it is still important to change them all a few times per year.  Now that I have the procedures in place, I will be able to do it without the anxiety that I faced the first time I went through it!
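The notation above (dash, asterisk, ampersand) is simple enough that a script can turn the inventory into a to-do list.  The following is an added example, not the post’s own file or code: it reads an inventory written in that notation and reports which sites still need a new password, which ones must never share a password with anything else, and whether the rotation reminder is overdue.  The `# changed: YYYY-MM-DD` header line, the 120-day rotation interval and the sample site names are my own assumptions.

```powershell
# Added example, not from the original post: parse a password-inventory file written with
# the post's notation and report what still needs attention.  Markers at the start of a
# line: '-' = password changed, '*' = site e-mails passwords in clear text, '&' = account
# shared with a spouse.  The "# changed: YYYY-MM-DD" header line and the 120-day rotation
# interval are my additions, not the post's.

function Read-PasswordInventory {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [int]$RotateDays = 120,                 # "a few times per year"
        [DateTime]$Today = (Get-Date)
    )

    $entries      = @()
    $lastRotation = $null
    foreach ($line in $Lines) {
        $text = $line.Trim()
        if (-not $text) { continue }
        if ($text -match '^#\s*changed:\s*(\d{4}-\d{2}-\d{2})') {
            $lastRotation = [DateTime]::ParseExact($Matches[1], 'yyyy-MM-dd', $null)
            continue
        }
        if ($text.StartsWith('#')) { continue }   # any other comment line
        # A run of marker characters, optional whitespace, then the site name.
        if ($text -match '^([-*&]*)\s*(\S.*)$') {
            $markers = $Matches[1]
            $entries += [pscustomobject]@{
                Site      = $Matches[2].Trim()
                Changed   = $markers.Contains('-')
                ClearText = $markers.Contains('*')
                Shared    = $markers.Contains('&')
            }
        }
    }

    $rotationDue = if ($null -eq $lastRotation) { $true } else { ($Today - $lastRotation).TotalDays -ge $RotateDays }

    [pscustomobject]@{
        Sites          = $entries.Count
        LastRotation   = $lastRotation
        RotationDue    = $rotationDue
        # Still to do in this pass.
        NotYetChanged  = @($entries | Where-Object { -not $_.Changed } | Select-Object -ExpandProperty Site)
        # Never reuse these passwords anywhere else: the site stores them recoverably.
        ClearTextSites = @($entries | Where-Object { $_.ClearText } | Select-Object -ExpandProperty Site)
        # Tell the other account holder before changing these.
        SharedSites    = @($entries | Where-Object { $_.Shared } | Select-Object -ExpandProperty Site)
    }
}

# Constructed sample inventory (the site names are placeholders, not real accounts).
$sample = @'
# changed: 2013-02-10
- bank.example.com
-* forum.example.net
& aeroplan.example
-& dns.example.org
prometric.example
'@ -split "`r?`n"

# With the sample above: NotYetChanged = aeroplan.example, prometric.example;
# ClearTextSites = forum.example.net; SharedSites = aeroplan.example, dns.example.org;
# RotationDue = True (141 days since the header date).
Read-PasswordInventory -Lines $sample -Today ([DateTime]'2013-07-01') | Format-List
```

Point it at the real file with `Read-PasswordInventory -Lines (Get-Content .\passwords.txt)`; the file still contains only site names and markers, never a password, which is the whole reason the notation works.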

Oakville.com

Today is the day… My first article went live at Oakville.com, and that is very exciting for me.  It is great to be able to give back to the community where I live… that I have called home for the past five years.

It is amazing… the first time I spoke with my wife (Theresa) – we met on-line – she said that she lived in Oakville, and I said ‘Where’s that?’ I had moved to the Greater Toronto Area (more specifically Mississauga) two months earlier, and although I had heard of Oakville had no idea that it was ten minutes away down the 403 (or QEW… or Burnhamthorpe… or Dundas).  Now, nearly five years later, I consider it home, and do not want to live anywhere else.

So for my introductory article I wrote (as promised) about password security.  I hope you read it and like it! –M

http://www.oakville.com/articles/expert-advice-to-keep-your-passwords-safe/

Why we need a backup…

This is a story about IT Security.

It is hard to believe that within three weeks we have had our Kia Rondo.  However it is easy enough to gauge… we brought it home (used) on New Year’s Eve, December 2009… When I drove Theresa to the hospital to deliver Gilad it was still on its first tank of gas.

Now, the fact that it has taken us this long to learn our lesson is testimony to our diligence, but nonetheless the lesson would eventually be learned.  New cars, as you know, come with two sets of keys.  Used cars, unfortunately, do not.  More often than not they come with only one, as is the case with the Rondo.  Theresa and I switch off driving the two cars every so often (usually when one needs gasoline or other maintenance I get it).  As such, we are usually pretty good about leaving the keys on the secretary by the door.

This past weekend was a disaster for me.  I got home from two weeks in South America & Mexico on Thursday, jetlagged and exhausted from the travel.  So much so that Saturday and Sunday I essentially slept all day, although I did venture out in the evening… on Saturday I took Theresa to Niagara Falls for dinner, and on Sunday after they came home from Buffalo I took her to a movie.  When I came home Theresa had warned me that both cars needed gas, so we drove the Toyota on Saturday (and I filled the tank) and the Kia on Sunday (and I filled the tank).  As we arrived home after the movie, there was a confluence of many irregularities – a dog jumping at the door, a phone ringing, and a need for the restroom.

The keys to the Kia ended up in my pocket…

…and the following morning they came to the airport with me…

…and then they came to Halifax with me.

I checked into the Maple Leaf Lounge at the airport in Halifax when I called my beautiful, loving, absolutely understanding wife whom I love dearly and who is always the first person I call when I land anywhere.  I heard Gilad crying in the background, which was strange for the time of the morning when he was usually at daycare.  ‘No, nothing is wrong with him… but he is rather upset that you took my car keys and stranded us here.’

Oh, crap.

To cut a long story short, after losing most of a day, a very understanding friend drove my very loving and wonderful and understanding wife to the airport parking lot and picked up my car from the long-term parking lot.  It was a huge hassle, but all was well.

At this point – if not several paragraphs ago – you have probably started wondering why I prefaced this tale of an absent-minded husband as a story of IT Security.  Keep reading and all will be made clear!

Many small and mid-sized businesses rely on one person to be the ‘Keeper of the Keys’ for their network – one user’s account is the Domain Administrator, or Root account.  Of course it is best practice to not share passwords, so that person is the only person who knows the credentials.  In some cases, that ‘person’ is not even an employee, but an IT Service Provider, who maintains their computers for them.  While the skies are clear this poses no problem.  Too often I have heard horror stories of things going very bad very fast.

Over the course of my career I have received no fewer than a dozen calls from companies who needed for me to reclaim their networks following a falling-out with their former IT Manager.  In most of these cases the company had decided to lay them off because they were going to outsource their IT services, although on a couple of occasions there was a fight between the owner and the IT guy who stormed off in a huff.  In one unfortunate case the IT guy died suddenly in a car accident.

On the other side of the same coin, I have on a number of occasions been told by IT service providers that their clients were late paying their bills, so they were going to deny them service and would not provide any credentials until all of the accounts were adequately settled.  I advised these IT pros that while I understood their frustrations, they were likely breaking the law and opening themselves up to legal action that would far outweigh any disputed monies.  I can only hope that they followed my advice and reversed their stances… As they did not name the client, there was no way for me to follow up on that.

While the IT guy who refuses to share the credentials is breaking the law (except for the guy who died, who was pretty action-proof) it is the company that suffers until the issue is resolved.  Resolving the issue – either technologically or legally – can be time consuming and costly.  It is also a situation that is very easy to avoid.

I do not think the solution is giving anyone in the company Admin/Root credentials… nobody should ever have higher credentials than they need to do their job.  What I would recommend, however, is that a second Admin/Root account be created with a long and super-complex password.  Those credentials should be stored separately and securely in sealed envelopes that hopefully will never need to be used.  However just like having a spare set of keys, it is a safety net against the sudden souring of the relationship between the SMB and the IT provider, whether that provider be an employee or contractor.

This plan is unfortunately not bulletproof.  It would be simple for the provider to either disable this account or change those credentials.  Legally speaking this would be an overt criminal act, but the jaded tech may not be concerned about that.  That is why it is crucial that companies manage their HR – specifically their layoffs – carefully.  If they are planning to lay off their administrator it is a good practice to use the following steps:

  1. Plan the timing carefully.
  2. Before you call your administrator into your office for that uncomfortable conversation, ensure that those credentials work, and access the Active Directory Users and Computers console using that account.
  3. When you know that he is waiting to come into your office, disable his account.
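Steps 2 and 3 can be scripted so that nothing is left to memory in a tense moment.  The following is an added example, not from the original post: the first function authenticates to Active Directory *as* the sealed-envelope account (rather than merely looking it up), which proves that its password still works, that it is enabled, and that it is still in Domain Admins; the second disables the departing administrator’s account and stamps the description with the date.  The ActiveDirectory module, the `Get-Credential` prompt, the use of the current domain’s DNS name as the server, and the placeholder account name `jdoe` are all my assumptions.

```powershell
# Added example, not from the original post: verify the break-glass Domain Admin
# account before the termination meeting, then disable the departing admin's account.
# Assumes the RSAT ActiveDirectory module; 'jdoe' is a placeholder account name.
Import-Module ActiveDirectory

function Test-BreakGlassAccount {
    param(
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Server = $env:USERDNSDOMAIN     # assumption: any DC of the current domain
    )
    $sam = $Credential.UserName.Split('\')[-1]    # strip a DOMAIN\ prefix if present
    try {
        # Running the query *with* the sealed-envelope credential proves the password is
        # still valid; a provider who quietly changed or disabled it would fail here.
        $acct = Get-ADUser -Identity $sam -Credential $Credential -Server $Server `
                           -Properties Enabled, LockedOut, PasswordLastSet, AccountExpirationDate
        $isDA = Get-ADGroupMember -Identity 'Domain Admins' -Credential $Credential -Server $Server |
                Where-Object { $_.SamAccountName -eq $sam }
        [pscustomobject]@{
            Account         = $sam
            Authenticated   = $true
            Enabled         = $acct.Enabled
            LockedOut       = $acct.LockedOut
            PasswordLastSet = $acct.PasswordLastSet
            IsDomainAdmin   = [bool]$isDA
        }
    } catch {
        [pscustomobject]@{ Account = $sam; Authenticated = $false; Error = $_.Exception.Message }
    }
}

function Disable-DepartingAdmin {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][pscredential]$Credential,
        [string]$Server = $env:USERDNSDOMAIN
    )
    $stamp = (Get-Date).ToString('yyyy-MM-dd HH:mm')
    Disable-ADAccount -Identity $SamAccountName -Credential $Credential -Server $Server
    Set-ADUser -Identity $SamAccountName -Credential $Credential -Server $Server `
               -Description "Disabled $stamp (termination; see HR record)"
    # Read it back so the operator sees Enabled = False before the conversation starts.
    Get-ADUser -Identity $SamAccountName -Credential $Credential -Server $Server -Properties Enabled, Description
}

# Step 2: prove the sealed-envelope account works before calling the admin in.
$breakGlass = Get-Credential -Message 'Break-glass Domain Admin credentials (from the sealed envelope)'
$check = Test-BreakGlassAccount -Credential $breakGlass
$check | Format-List
if (-not ($check.Authenticated -and $check.Enabled -and $check.IsDomainAdmin)) {
    throw 'Break-glass account is not usable; resolve this before proceeding.'
}

# Step 3: while the administrator is waiting outside the office, disable their account.
Disable-DepartingAdmin -SamAccountName 'jdoe' -Credential $breakGlass
```

Two points worth keeping in mind: `Test-BreakGlassAccount` is also a sensible thing to schedule periodically, since the post notes that the provider could silently disable or change the envelope account long before it is needed; and disabling an account does not log off a workstation where that person is already signed in, so the desk machine should be logged off or powered down as part of the same step.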

It is unfortunate, but a jaded former employee can cause a lot of damage.  I have heard horror stories of companies laying off their IT manager, but not disabling their account.  That laid off employee then goes back to their desk and starts wreaking havoc on the network.  The IT administrator is, unfortunately, not a position that you can lay off and give two weeks’ notice, expecting they will faithfully continue to perform their duties.  If you are getting rid of the IT admin, you have to pay their settlement out but terminate their employment – along with their credentials – immediately.

If you think you may be protected by loyalty, remember that you are about to demonstrate a termination of that two-way loyalty street.  In cases I have been involved in neither long-time friendships nor family relations have protected the company.

I am not saying that this will happen in every case, but you cannot gamble that it will not happen to you.  Don’t take the chance, and you will never have to write an article about how loving and understanding your wife is because you flew to Halifax with her keys ;)

Cover Your A$$ – Secure Your WiFi Now!

I honestly hate saying ‘I told you so.’

For years I have been telling everyone who will listen (and a lot of people who didn’t want to) about the importance of securing wireless networks.  I’ve told stories about the possible consequences, and have scared some of them into doing the right thing.  Unfortunately far too often my pleas have fallen on deaf ears.

Don’t get me wrong… like anyone else who has ever hopped on an unsecured access point to check my e-mail, I appreciate that so many people have made it unnecessary to actually hack secured wireless networks – which of course might be considered illegal so I would never actually do it.  However my convenience should be trumped by the well-being of the masses.

As was reported by Carolyn Thompson in the Toronto Star (c/o Associated Press) there have been several cases recently where innocent albeit naive wifi users have gotten a very rude awakening.  At least one such user was awakened very rudely by heavily armed agents of the FBI and/or ICE (Immigration and Customs Enforcement) raiding their houses after having tracked child pornographers to their networks (See the full article at http://www.thestar.com/living/article/979849–no-password-on-your-wi-fi-this-nightmare-could-happen-to-you).

The Internet is so often equated to the Wild West… a potentially lawless society with hoodlums and gangsters and very little law enforcement to speak of… and it’s true.  A friend of mine who works in cyber-crime for a major American law enforcement agency confirmed that likely only 1-3% of cyber-criminals are ever arrested.  With that being said, the Wild West had sheriffs, posses, and eventually the US Army.  SOME cyber-criminals are pursued, arrested, and convicted.

I don’t know what percentage of cyber-criminals captured are child-pornographers, but I would not be surprised if it was a very high number, and for good reason.  I do know that of all criminals, most law enforcement officers view them as the lowest of the low – as the AP article demonstrates they are seldom arrested politely and calmly.  I have heard of several cases of mistaken identity because child pornographers are smart enough to try to cover their tracks, and the difference between them going through you or not is as simple as a couple of check-boxes and a password on your wireless access point… so what’s stopping you?

If you are uncomfortable trying to configure this encryption and password yourself, I implore you once again to ask for help, or, if you must, take your router to a Geek-Squad-type service who will do it for you.  Trust me, it is a small investment compared to what could happen.